As we approach Pwn2Own 2018, I’m reminded of some of the exploits we saw at last year’s contest. Of course, the most interesting bugs we saw involved guest-to-host escalation in VMware. Recently, we presented “l’art de l’évasion: Modern VMware Exploitation techniques” at OffensiveCon in Berlin (Hats off for the great conference!). The talk focused on exploitation techniques that have been used in the past year to exploit different vulnerability types in VMware Workstation. I’ve previously discussed Use-After-Free (UAF) VMware exploits affecting drag-and-drop (DnD) and triggered by Remote Call Procedure requests. If you haven’t read that blog yet, you may want to start there. Once you’re done with that blog, check out former Mobile Pwn2Own winner Amat Cama’s blog covering a heap-based buffer overflow exploit that Chaitin Security Research Lab planned to use at Pwn2Own last year. Unfortunately for them, the bug he describes was patched the day before the contest and thus couldn’t be used. Still, it’s a great write-up and should be considered foundational knowledge for VMware exploitation.
This blog builds off both of those topics by introducing the more complex exploitation technique of using uninitialized buffers and variables. Keeping with the Pwn2Own theme, my colleague Jasiel Spelman (@WanderingGlitch) and I had a look at what the folks from 360 Security used to execute code in the hypervisor from the guest OS, earning themselves $105,000 USD in the process. They leveraged a heap overflow in Microsoft Edge, a type confusion in the Windows kernel, and – most importantly – an uninitialized buffer in VMware Workstation for a complete virtual machine escape. It’s this specific bug that we detail here.
Before we explain the details of the bugs involved, here’s a quick video showing the full exploit chain in action: